mozilla-sandbox-fips.patch
author Wolfgang Rosenauer <wr@rosenauer.org>
Tue, 25 Aug 2020 21:31:17 +0200
branchfirefox80
changeset 1142 c5e32127317c
parent 1123 7fa561e5d7c7
permissions -rw-r--r--
further FIPS patch (from https://github.com/openSUSE/firefox-maintenance/commit/23d322af9566055af016e6e409dcc3c9856c3666)
From: meissner@suse.com, cgrobertson@suse.com
Subject: allow Firefox to access additional process information
References:
http://bugzilla.suse.com/show_bug.cgi?id=1167132
bsc#1174284 - Firefox tab just crashed in FIPS mode
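--- a/security/sandbox/linux/Sandbox.cpp
+++ b/security/sandbox/linux/Sandbox.cpp
@@ -647,16 +647,17 @@ void SetMediaPluginSandbox(const char* a
     SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath,
                       strerror(errno));
     MOZ_CRASH("failed while trying to open the plugin file ");
   }
 
   auto files = new SandboxOpenedFiles();
   files->Add(std::move(plugin));
   files->Add("/dev/urandom", true);
+  files->Add("/dev/random", true);
   files->Add("/etc/ld.so.cache");  // Needed for NSS in clearkey.
   files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
   files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
   files->Add("/proc/cpuinfo");  // Info also available via CPUID instruction.
   files->Add("/proc/sys/crypto/fips_enabled");  // Needed for NSS in clearkey.
 #ifdef __i386__
   files->Add("/proc/self/auxv");  // Info also in process's address space.
 #endif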
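Review bot: The added `files->Add("/dev/random", true);` carries no comment saying why the media-plugin sandbox needs it, while the neighbouring entries for `/etc/ld.so.cache` and `/proc/sys/crypto/fips_enabled` each say `// Needed for NSS in clearkey.`; the same gap applies to the two `policy->AddPath(rdonly, ...)` lines added in SandboxBrokerPolicyFactory.cpp. Every entry in a sandbox allowlist should record its reason so a later tightening pass can tell whether it is still needed; something like `files->Add("/dev/random", true);  // Read by NSS in FIPS mode (bsc#1174284).` would do, assuming that is the bug this entry addresses. The second argument mirrors the `/dev/urandom` line above and its meaning is not visible here, so it is worth confirming it is wanted for a device that is presumably read far less often. SetMediaPluginSandbox starts before and continues after this hunk.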
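--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -308,16 +308,18 @@ void SandboxBrokerPolicyFactory::InitCon
     policy->AddDir(rdwr, "/dev/dri");
   }
 
   // Bug 1575985: WASM library sandbox needs RW access to /dev/null
   policy->AddPath(rdwr, "/dev/null");
 
   // Read permissions
   policy->AddPath(rdonly, "/dev/urandom");
+  policy->AddPath(rdonly, "/dev/random");
+  policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
   policy->AddPath(rdonly, "/proc/cpuinfo");
   policy->AddPath(rdonly, "/proc/meminfo");
   policy->AddDir(rdonly, "/sys/devices/cpu");
   policy->AddDir(rdonly, "/sys/devices/system/cpu");
   policy->AddDir(rdonly, "/lib");
   policy->AddDir(rdonly, "/lib64");
   policy->AddDir(rdonly, "/usr/lib");
   policy->AddDir(rdonly, "/usr/lib32");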
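Review bot: Both added `AddPath(rdonly, ...)` lines are unconditional, so every content process gains read access to `/dev/random` and `/proc/sys/crypto/fips_enabled` whether or not the system runs in FIPS mode. The flag file is low-sensitivity, but on kernels where `/dev/random` can still block, a read from a content process can stall the tab, which is worth checking against the crash in bsc#1174284 that the patch header cites. If the policy code is able to read the FIPS flag when the policy is built, granting `/dev/random` only in that case would leave the default allowlist as it was; at minimum the two lines should carry a reason, such as `// NSS reads these in FIPS mode`, if that is indeed the consumer. The enclosing function (its name is cut off in the hunk header) starts before and ends after the visible lines.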